EXAMINER'S AMENDMENT 

1. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Patrick Daugherty on December 12, 2007. 

The application has been amended as follows: 

Please amend the TITLE as follows: 

Method, program and for automatically detecting malicious computer network reconnaissance by updating state codes in a histogram. 



Please amend the CLAIMS as follows: 
1. (Presently Amended) A method to detect unauthorized reconnaissance or scanning of a computer network comprising the acts of: 

monitoring communications within the network; 

detecting a predefined sequential triplet of TCP/IP protocol set packets flowing within said communications, each of the predefined sequential triplet packets comprising a source address field, a target device address field, a source port field and a target device port field, comprising the steps of: 

providing a histogram in which states of the predefined sequence of packets are recorded, the histogram including a table partitioned into a first field in which source addresses of network devices are kept and a second field concatenated to the first field; 

dynamically updating said histogram as selected ones of the predefined sequence of packets are detected by initializing or incrementing a state code field in response to an order in which packets in the predefined sequence of packets are detected; concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into the table first and second fields as an ordered four-tuple; hashing the ordered four-tuple; and using the hashed ordered four-tuple as a histogram location index; 

observing an initial SYN packet originating from a source address; 

detecting a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet; and 

detecting a last sequential RST packet originating from the source address in response to the SYN/ACK packet; and 

issuing an alert indicating unauthorized scanning if the predefined sequence of packets are each relevant to the source address and if the state code field has an alert value. 
Claims 2-7. (Cancelled) 

8. (Currently Amended) The method of claim [4] 1, wherein the issuing further includes sending a message to an administrator. 

9. (Currently Amended) The method of claim [4] 1 wherein the issuing further includes blocking future packets comprising the source address, the target device address and a target device port address. 

10. (Currently Amended) The method of claim [4] 1 wherein issuing further includes rate-limiting flows of packets comprising the source address. 

11-24. (Cancelled) 

25. (Presently Amended) A method to deploy an intrusion detection system on a network device [including acts of] comprising: 

providing an algorithm to detect a predefined sequential triplet of TCP/IP protocol packets; 

providing a table to record at least one characteristic to identify network devices and a state code corresponding to a sequence in which the predefined sequential triplet of packets are received, wherein each of the predefined sequential triplet packets comprise a source address field, a target device address field, a source port field and a target device port field; 

dynamically updating a histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple; hashing the ordered four-tuple; and using the hashed ordered four-tuple as a histogram location index; and 

generating an alert if the predefined triplet of packets is detected and the triplet packets are each relevant to a source address; 

wherein the triplet comprises an initial SYN packet originating from the source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet. 

Claims 26-29. (Cancelled) 

30. (Presently Amended) A method to protect devices from malicious attacks launched on a computer network [including the acts of] comprising: 

providing on a device to be protected a software program that monitors packets, the software program including a table containing codes whose values represent detection of one of the predefined set of packets and at least one source address associated with at least one of the codes, each of the predefined sequential triplet packets comprising a source address field, a target device address field, a source port field and a target device port field; 

dynamically updating a histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple; hashing the ordered four-tuple; and using the hashed ordered four-tuple as a histogram location index; and 

issuing an alert if a predefined sequential triplet of TCP/IP protocol packets are detected and the triplet packets are each relevant to a source address; 

wherein the triplet comprises an initial SYN packet originating from the source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet. 

31-36. (Cancelled) 
37. (Presently Amended) The method of claim 1, wherein detecting the predefined sequential triplet comprises: 

concatenating source address, target device address, source port and target device port fields of the SYN packet in a source address-target device address-source port-target device port first order four-tuple and initializing the state code field; 

concatenating source address, target device address, source port and target device port fields of the SYN/ACK packet in a reflection of the first order in a target device address-source address-target device port-source port reflected order four-tuple and incrementing the initialized state code field; and 

concatenating source address, target device address, source port and target device port fields of the RST packet in a first order four-tuple and incrementing the incremented state code field into the alert value. 

38. (Previously added by amendment) The method of claim 37, comprising: 
starting a purge time period; 

purging the state code field upon a lapse of the purge time period. 







39. The method of claim 37, wherein detecting the next sequential SYN/ACK packet comprises matching a look-up table key source address to the SYN/ACK source address field. 



40. (Presently Amended) The method of claim [26] 25 further comprising blocking future packets comprising the source address, the target device address and a target device port address. 

41. (Presently Amended) The method of claim 25 further comprising rate-limiting flows of packets comprising the source address. 

42. (Cancelled) 

43. (Presently Amended) The method of claim 25, wherein detecting the predefined sequential triplet comprises: 

concatenating source address, target device address, source port and target device port fields of the SYN packet in a source address-target device address-source port-target device port first order four-tuple and initializing the state code; 

concatenating source address, target device address, source port and target device port fields of the SYN/ACK packet in a reflection of the first order in a target device address-source address-target device port-source port reflected order four-tuple and incrementing the initialized state code; and 

concatenating source address, target device address, source port and target device port fields of the RST packet in a first order four-tuple and incrementing the incremented state code into an alert value. 

44. (Previously added by amendment) The method of claim 43, comprising: 
starting a purge time period; 

purging the state code upon a lapse of the purge time period. 

45. (Previously added by amendment) The method of claim 43, wherein detecting the next sequential SYN/ACK packet comprises matching a look-up table key source address to the SYN/ACK source address field. 

46. (Presently Amended) The method of claim 30 further comprising blocking future packets comprising the source address, the target device address and a target device port address. 

47. (Presently Amended) The method of claim 30 further comprising rate-limiting flows of packets comprising the source address. 

48. (Cancelled) 

49. (Presently Amended) The method of claim 30, wherein detecting the predefined sequential triplet comprises: 

concatenating source address, target device address, source port and target device port fields of the SYN packet in a source address-target device address-source port-target device port first order four-tuple and initializing a state code; 

concatenating source address, target device address, source port and target device port fields of the SYN/ACK packet in a reflection of the first order in a target device address-source address-target device port-source port reflected order four-tuple and incrementing the initialized state code; and 

concatenating source address, target device address, source port and target device port fields of the RST packet in a first order four-tuple and incrementing the incremented state code into an alert value. 

50. (Presently Amended) The method of claim 49, comprising: 
starting a purge time period; and 

purging the state code upon a lapse of the purge time period. 

51. (Previously added by amendment) The method of claim 49, wherein detecting the next sequential SYN/ACK packet comprises matching a look-up table key source address to the SYN/ACK source address field. 
REASONS FOR ALLOWANCE 

2. The following is an examiner's statement of reasons for allowance: The prior art 
does not provide for, nor suggest providing for, an intrusion detection system utilizing 
histogram tables which keep track of sessions utilizing a four-tuple hash (i.e. source 
address, source port, destination address, destination port) which is used as an index 
into the table. Once the index is found, the code value is initialized into a first state if 
the packet first received is a SYN packet, incremented into a second state if a packet 
received is a SYN/ACK packet, and incremented into a third state if the packet received 
is a RST packet, as described in the specification. Once a RST packet has been 
received, an alarm message commensurate with the configuration of the system is 
generated. For these reasons, in conjunction with the 
other limitations of the independent claims, this case is in condition for allowance. 
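As an added illustration (example code written for this page, not part of the Office action, the claims or the applicant's specification), the following Python sketch implements the mechanism the examiner summarizes: a table indexed by a hash of the ordered four-tuple, a state code initialized by the SYN, advanced by a SYN/ACK whose fields are taken in reflected order so that it lands on the same location, and advanced into the alert value by the RST, with a purge time period that discards stale state codes. The packet records, addresses and the choice of SHA-256 as the hash are constructed assumptions.

```python
import hashlib
from collections import namedtuple

# Constructed packet record: addresses, ports, a TCP flag label and a timestamp in seconds.
Packet = namedtuple("Packet", "src dst sport dport flags ts")

ALERT_VALUE = 3  # state code after SYN (1) -> SYN/ACK (2) -> RST (3)


def histogram_index(src, dst, sport, dport, buckets=1 << 16):
    """Concatenate the ordered four-tuple and hash it into a histogram location index."""
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % buckets


class HalfOpenScanDetector:
    """Tracks SYN / SYN-ACK / RST triplets per four-tuple and alerts on the RST."""

    def __init__(self, purge_seconds=30.0):
        self.table = {}  # index -> {"state": int, "src": str, "seen": ts}
        self.purge_seconds = purge_seconds

    def purge(self, now):
        """Purge state codes whose purge time period has lapsed."""
        for idx in [i for i, e in self.table.items() if now - e["seen"] > self.purge_seconds]:
            del self.table[idx]

    def observe(self, pkt):
        """Update the state code for one packet; return an alert dict or None."""
        self.purge(pkt.ts)
        if pkt.flags == "SYN":
            # First-order four-tuple: initialize the state code and record the source.
            idx = histogram_index(pkt.src, pkt.dst, pkt.sport, pkt.dport)
            self.table[idx] = {"state": 1, "src": pkt.src, "seen": pkt.ts}
            return None
        if pkt.flags == "SYN/ACK":
            # Reflected order: the reply travels target -> source, so swapping the
            # fields maps it onto the same histogram location as the SYN.
            idx = histogram_index(pkt.dst, pkt.src, pkt.dport, pkt.sport)
            entry = self.table.get(idx)
            if entry and entry["state"] == 1 and entry["src"] == pkt.dst:
                entry["state"], entry["seen"] = 2, pkt.ts
            return None
        if pkt.flags == "RST":
            # First-order four-tuple again; the RST must be relevant to the same source.
            idx = histogram_index(pkt.src, pkt.dst, pkt.sport, pkt.dport)
            entry = self.table.pop(idx, None)
            if entry and entry["state"] == 2 and entry["src"] == pkt.src:
                return {"source": pkt.src, "target": pkt.dst, "port": pkt.dport, "state": ALERT_VALUE}
        return None
```

A completed handshake (SYN, SYN/ACK, ACK) never reaches the alert value, and a SYN whose reply arrives after the purge period is discarded before it can be matched.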

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Joseph E. Avellino whose telephone number is (571) 
272-3905. The examiner can normally be reached on Monday-Friday 7:00-4:00. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, David A. Wiley can be reached on (571) 272-3923. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Joseph E. Avellino/ 
Joseph E. Avellino, Examiner 
December 15, 2007 



